diff --git a/.github/workflows/build-publish-containers.yml b/.github/workflows/build-publish-containers.yml
index 31a6ee7..dcc7419 100644
--- a/.github/workflows/build-publish-containers.yml
+++ b/.github/workflows/build-publish-containers.yml
@@ -1,11 +1,14 @@
 name: Build and publish container images
 on:
-  pull_request:
-  workflow_dispatch:
-  push:
   schedule:
    # rebuild image every Monday morning
    - cron: '43 3 * * 1'
+  push:
+    paths-ignore:
+      - 'ondemand/**'
+  pull_request:
+    paths-ignore:
+      - 'ondemand/**'
 
 jobs:
   build_publish:
@@ -41,8 +44,9 @@ jobs:
       - name: Determine latest release of VSTS Agent
         if: matrix.tag == 'azure-pipelines-azureagent'
         id: getvstsagentlatest
+        shell: bash
         run: |
-          release=$(curl -s -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/microsoft/azure-pipelines-agent/releases/latest | jq -r .name)
+          release=$(curl -s -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/microsoft/azure-pipelines-agent/releases/latest | jq -e -r .name)
           echo "Building release $release"
           echo "RELEASE=${release:1}" >> $GITHUB_ENV
 
@@ -55,7 +59,7 @@ jobs:
           path: azure-pipelines-jupyterhub/vsc-config
 
       - name: Build Image
-        uses: redhat-actions/buildah-build@v2.13
+        uses: redhat-actions/buildah-build@v2
         id: build-image
         with:
           tags: latest ${{ github.sha }} ${{ env.IMAGE_TAG }} ${{env.RELEASE}}
@@ -65,7 +69,7 @@ jobs:
             operator_name=${{ secrets.JH_USERNAME }}
             operator_uid=${{ secrets.JH_UID }}
             az_ag_release=${{ env.RELEASE }}
-          dockerfiles: |
+          containerfiles: |
             ./${{ matrix.tag }}/Dockerfile
 
       - name: Print image name and tags
@@ -74,7 +78,7 @@ jobs:
       - name: Publish image on ghcr.io
         id: push-to-ghcr
         if: env.PUBLISH_IMAGES
-        uses: redhat-actions/push-to-registry@v2.8
+        uses: redhat-actions/push-to-registry@v2
         with:
           image: ${{ steps.build-image.outputs.image }}
           tags: ${{ steps.build-image.outputs.tags }}
diff --git a/.github/workflows/build-publish-ondemand.yml b/.github/workflows/build-publish-ondemand.yml
new file mode 100644
index 0000000..a0b6cf5
--- /dev/null
+++ b/.github/workflows/build-publish-ondemand.yml
@@ -0,0 +1,86 @@
+name: Build and publish ondemand container
+on:
+  workflow_dispatch:
+    inputs:
+      upstream_version:
+        type: string
+        description: Which version should be build?
+  schedule:
+   # rebuild image every Monday morning
+   - cron: '43 3 * * 1'
+  push:
+    paths:
+      - 'ondemand/**'
+  pull_request:
+    paths:
+      - 'ondemand/**'
+
+env:
+  ood_release_handle: ${{ inputs.upstream_version && format('tags/{0}', inputs.upstream_version) || 'latest' }}
+
+jobs:
+  build_publish_ondemand:
+    name: Build/publish ondemand container
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Check if we should publish
+        if: >-
+          (github.event_name == 'push' ||
+          github.event_name == 'schedule' ||
+          github.event_name == 'workflow_dispatch') &&
+          github.ref_name == 'main'
+        run: |
+          echo PUBLISH_IMAGES=1 >> $GITHUB_ENV
+
+      - name: Set a tag based on the date
+        run: |
+          IMAGE_TAG=$(date +"%Y%m%d")
+          echo IMAGE_TAG=$IMAGE_TAG >> $GITHUB_ENV
+          echo "Image tag is $IMAGE_TAG"
+
+      - name: Determine release of ondemand
+        id: getlatestrelease
+        shell: bash
+        run: |
+          release=$(curl -s -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/OSC/ondemand/releases/${{ env.ood_release_handle }} | jq -e -r .name)
+          echo "Building release $release"
+          echo "RELEASE=${release}" >> $GITHUB_ENV
+
+      - name: Check out the repo
+        uses: actions/checkout@v4
+        with:
+          repository: 'OSC/ondemand'
+          ref: '${{ env.RELEASE }}'
+          path: 'ondemand'
+
+      - name: Build Image
+        uses: redhat-actions/buildah-build@v2
+        id: build-image
+        with:
+          tags: latest ${{ env.IMAGE_TAG }} ${{ env.RELEASE }}
+          image: ondemand
+          containerfiles: ondemand/Dockerfile
+          context: ondemand
+          build-args: |
+            VERSION=${{ env.RELEASE }}
+
+      - name: Print image name and tags
+        run: echo "Image ${{ steps.build-image.outputs.image }} build with tags ${{ steps.build-image.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
+
+      - name: Publish image on ghcr.io
+        id: push-to-ghcr
+        if: env.PUBLISH_IMAGES
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image.outputs.image }}
+          tags: ${{ steps.build-image.outputs.tags }}
+          registry: ghcr.io/${{ github.repository_owner }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Print image url
+        if: env.PUBLISH_IMAGES
+        run: echo "Image pushed to ${{ steps.push-to-ghcr.outputs.registry-paths }}" >> $GITHUB_STEP_SUMMARY
diff --git a/ondemand/README.md b/ondemand/README.md
new file mode 100644
index 0000000..fbe2d41
--- /dev/null
+++ b/ondemand/README.md
@@ -0,0 +1,12 @@
+# Container for OpenOnDemand
+
+This is to build the upstream container for OpenOnDemand as found in their upstream repo: https://github.com/OSC/ondemand
+
+The dockerfile is at https://github.com/OSC/ondemand/blob/master/Dockerfile
+
+The github action will always build the latest version and tag it with 'latest', the version itself ('v3.1.7') and the date.
+
+Pull from ghcr.io by:
+```
+podman pull ghcr.io/vub-hpc/ondemand:latest
+```